2001 01/19 FRI 16:24 FAX 03 3288 3222 Ktsuragi Patent ^ FOLEY & LARDNER 12)034/057 



hi 



FQ5-511 32 



Claims : 



1. A system comprising: 

a participant subsystem that Is authorized to anonymously 
participate in a plurality of sessions using secret 
information provided by a manager subsystem; and 
5 a reception subsystem that determines whether it is 

acceptable for the participant subsystem to participate in a 
session^ 

wherein 

the participant subsystem comprises: 
10 an anonymous signing section for authorizing 

individual data using the secret Information depending on 
session-related information to produce anonymous 
participation data with anonymous signature, and 
the reception subsystem comprises; 
15 an anonymous signature determining section for 

determining whether received data is anonymous participation 
data with anonymous signature authorized by the participant 
subsystem; and 

a sender match determining section for determining 
20 whether anonymous signatures of arbitrary two pieces of 
anonymous participation data are signed by an Identical 
participant subsystem* 
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2. The system according to claim 1, wherein the 
anonymous signature includes data that is generated by a 
predetermined expression using the session-related 
information and the secret information, wherein the sender 
5 match determining section checks the data Included in the 
anonymous signature of received anonymous participation data. 



3. The system according to claim 2, wherein the 
^fl predetermined expression is represented by raising a 

ill session- dependent base to a power that is dependent on the 



lU 



10 secret information. 

4- The system accoirding to claim 1, wherein the 
anonymous signing section authorizes the individual data based 
on a group signature scheme. 

5 - The system according to claim 1 , wherein the 
15 anonymous signing section authorizes the individual data based 
on an escrowed identity scheme. 



6. The system according to claim 1, wherein the 
anonymous signing section comprises: 

a generator creating section for creating a 
20 session-dependent generator depending on the session-related 
information: 
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a group signing section for signing the individual 
data using the session-dependent generator and the secret 
information to produce anonymous participation data^ wherein 
the anonymous participation data includes data obtained by 
5 raising the session-dependent generator to a power determined 
by the secret inf oirmation; and 

a linkage data generating section for generating 
linkage data indicating a relationship among the session - 
dependent generator and a generator determined by the 
IP' 10 individual data and/or the session-related information. 

Q 7. The system according to claim 6, wherein the secret 

information is represented by {x^ y, v) that satisfies : = 
{y + 6)^'* mod n, where y ^ ^ mod n, n ±b ^ product of two prime 
numbers as used in the RSA cryptography, ^ is a generator that 
15 generates a cyclic group of order n, a is an integer mutually 
prime to n, a is an integer mutually prime to the Euler number 
of n, and 6 is a constant other than 1. 

the generator creating section creates a 
session-dependent generator p-^ corresponding to a session A 
20 and a generator g„ is generated based on the individual data 
m and/or the session A, 

the group signing section sets z ^ g/ and generates 
a first proof statement 
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proving the knowledge of a satisfying ^ = ^^('Sf") # and a second 
proof statement 

proving the knowledge of p satisfying = ^^^P"', 

5 the linkage data generating section sets = 

and generates a third proof statement 

5/3= SKREP(^,/^, ^,/^J[Y^ ^x/^ ^{^J^aV^H) 
proving the knowledge of and ^ have the same power to the 
bases and respectively, 
10 wherein the anonymous participation data is defined 

as (A, m, z, z^, V^. V^. V^^) , 

8 . The system according to claim 7 . wherein 

the anonymous signature determining section checks 
V^, V^, and of the anonymous participation data to determine 
15 whether received data is anonymous participation data with 
anonymous signature authorized by the participant subsystem, 
and 

the sender match determining section checks z of the 
anonymous p€irticipation data to determine whether anonymous 
20 signatures of arbitrary two pieces of anonymous participation 
data are signed by an identical participant subsystem. 



9- The system according to claim 1. wherein the 
anonymous signing section comprises: 
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a generator creating section for creating a 
generator depending on the session-related information; 

a group signing section for signing the individual 
data using the generator and the secret information to produce 
5 anonymous participation data, wherein the anonymous 

participation data includes data obtained by raising the 
session-dependent generator to a power determined by the 
secret information. 

4 10 . The system according to claim 9 , wherein the secret 

J 10 information is represented by (x, y, v) that satisfies: v = 
3 6)^'''modz7, where a' mod /J, the individual data Is denoted 

by m, ^ is a product of two prime numbers as used in the RSA 
I cryptography, ^ is a generator that generates a cyclic group 

of order n , s is an Integer mutually prime to jj, a is an integer 
^ 15 mutually prime to the Euler niimber of n , and 6 is a constant 
other than 1 , 

the generator creating section creates a 
session-dependent generator corresponding to a session A, 
the group signing section sets z = g-/ and generates 
20 a first proof statement 

= SKLOGLOG(^,5r,,a) [a:^ = ^^(^°)]{m) 
proving the knowledge of a satisfying ^ «= sr^^^^^ ' and a second 
proof statement 

= SKROOTLOG{^*^/,^^,a) [p: ^*sr/ = ] (m) 

25 proving the knowledge of p satisfying = ^a^^^K 
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wherein the anonymous participation data 13 is 
designated as {A^ z, V^. P^^) • 



11. The system according to claim 10, wherein 

the anonymous signature determining section checks 
5 v^, and \/j of the anonymous participation data to determine 
whether received data is anonymous participation data with 
anonymous signature authorized hy the participant subsystem, 
and 

the sender match determining section checks z of the 
10 anonymous participation data to determine whether anonymous 
signatures of arbitrary two pieces of anonymous participation 
data are signed by an identical participant subsystem. 

12- The system according to claim 1, wherein the 

anonymous signing section comprises: 
15 a generator creating section for creating a 

session -dependent generator depending on the session-related 

information; 

an escrow identifying section for signing the 

Individual data using the session-dependent generator and the 
20 secret information to produce anonymous participation data, 

wherein the anonymous participation data includes data 

obtained by raising the session-dependent generator to a power 

determined by the secret information: and 
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a linkage data generating section for generating 
linkage data indicating a relationship among the session- 
dependent generator and a generator determined by the 
individual data and/or the session-related information. 

5 13. The system according to olaim 12, wherein the secret 

information is represented by {a, i?) that satisfies 
Z> = (a" - 6)^^" mod n, where /7 is a product of two prime numbers 
as used in the RSA cryptography, p-is a generator that generates 
a cyclic group of order n, ^ is an integer mutually prime to 

10 e is an integer mutually prime to the Euler number of J3, 

and 6 is a constant other than 1, 

the generator creating section creates a 
session- dependent generator corresponding to a session A 
and a generator ff„ is generated based on the individual data 

15 J77 and/or the session A, 

the escrow identifying section sets = ^^^^ ' and 
generates a first proof statement 

V, = SKROOTLOGl^,,5r,,o) [a: ^, =« 
proving the knowledge of a satisfying = and sets 

20 = and generates a second proof statement 

proving the knowledge of p. satisfying = ^a^^*^^ * 

the linkage data generating section sets = ^r^t^*' 
and generates a third proof statement 
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proving the knowledge of and having the same power to the 
bases and respectively, 

wherein the anonymous participation data is defined 
as ^A,. m. z^, z^, z^, V^, V^, V^) , 



5 14. The system according to claim 13, wherein 

the anonymous signature determining section 
determines whether z„/Zj, = is satisfied and checks V^, V^, 
and 1/3 of the anonymous participation data to determine whether 
jf received data is anonymous participation data with anonymous 

Ml 10 signature authorized by the participant subsystem^ and 

s 3 5 

the sender match determining section checks one of 
z^ and of the anonymous participation data to determine 
'Q, whether anonymous signatures of arbitrary two pieces of 

anonymous participation data are signed by an identical 
15 participant subsystem. 

15. The system according to claim 1, wherein the 
anonymous signing section comprises: 

a generator creating section for creating a 
session-dependent generator depending on the session-related 
20 Information; and 

an escrow identifying section for signing the 
individual data using the session- dependent generator and the 
secret Information to produce anonymous participation data, 
wherein the anonymous participation data includes data 
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obtained by raising the session-dependent generator to a power 
determined by the secret information, 

16 - The system according to clajLm 15, wherein the secret 
information is represented by [a. b) that satisfies 
5 I? = [3^ - b)^^^ mod where n ±s a product of two prime numbers 
as used in the RSA cryptography. ^ is a generator that generates 
a cyclic group of order /j, a is an Integer mutually prime to 

e is an integer mutually prime to the Euler number of 
and & is a constant other than 1, 
10 the generator creating section creates a 

session-dependent generator corresponding to a session -4, 

the escrow identifying section sets -r, = ^a^^^^ 
generates a first proof statement 

= SKROOTLOG(^^,^^,a) [a: = 5^^(^*)](m) 
15 proving the knowledge of a satisfying ^. and sets 

= ^^(^^ and generates a second proof statement 

I/, = SKROOTLOG(-r^,^,,d)[P: = ^^(^")l(ni) 
proving the knowledge of p satisfying -a-^ = 9^^^"^ * 

wherein the anonymous participation data is defined 
20 as {A. m. z^. z^. V^, V^) . 



17, The system according to claim 16, wherein 

the anonymous signature determining section 
determines whether z^/z^, = ^J" is satisfied and checks P^^ and 
of the anonymous participation data to determine whether 
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received data ±s anonymous participation data with anonymous 
signature authorized by the participant subsystem, and 

the sender match determining section checks one of 
and of the anonymous participation data to determine 
5 whether anonymous signatiurss of arbitrary two pieces of 
anonymous participation data are signed by an identical 
participant subsystem. 



? 3 



E-3 3 



18- An anonymous participation authority management 
method for a system comprising: 
10 a participant subsystem that is authorized to anonymously 

participate in a plurality of sessions using secret 
Information ; and 

a reception subsystem that determines whether it is 
acceptable for the participant subsystem to participate in a 
15 session, 

the method comprising the steps of: 
at the participant subsystem, 

a) authorizing Individual data using the secret 
information depending on session-related information to 

20 produce anonymous participation data with anonymous 
signature; 

at the reception subsystem, 

b) determining whether received data is anonymous 
participation data with anonymous signature authorized by the 

25 participant subsystem; and 



2001 01/19 FRI 16:27 FAX 03 3288 3222 Ktsura&i Patent -» FOLEY & LARDNER i 044/057 

4 # 

FQ5-511 42 

c) determining whether anonymous signatures of 
arbitrary two pieces of anonymous participation data are 
signed by an identical participant subsystem, 

19, The method according to claim 18, wherein the 
5 anonymous signature includes data that is generated by a 
predetermined expression using the session-related 
information and the secret information, wherein the step (c) 
is performed by checking the data Included in the anonymous 
'''4 signature of received anonymous participation data. 

iJI 

! - 3 

=3 10 20. The method according to claim 19, wherein the 

predetermined expression is represented by raising a 
session -dependent base to a power that Is dependent on the 
secret information . 

= y 

21. The method according to claim 18, wherein the step 
15 (a) comprises the steps of: 

creating a session-dependent generator depending on 
the session-related Information; 

signing the Individual data using the session- 
dependent generator and the secret Information to produce 
20 anonymous participation data, wherein the anonymous 

participation data Includes data obtained by raising the 
session-dependent generator to a power determined by the 
secret information; and 



2001 01/19 FRI 16:28 FAX 03 3288 J222 Ktsura&i Patent ^ FOLEY & LARDNER @045/057 




FQ5-5H 43 



generating linkage data Indicating a relationship 
among the session-dependent generator and a generator 
determined by the individual data and/or the session-related 
information . 



22. The method according to claim 18, wherein the step 
(a) comprises the steps of: 

creating a session-dependent generator depending on 
the session-related information; and 

signing the individual data using the session- 
dependent generator and the secret information to produce 
anonymous participation data, wherein the anonymous 
participation data includes data obtained by raising the 
session-dependent generator to a power determined by the 
secret information , 



